Windows Forensic Artifacts: Registry, Event Logs, and Prefetch
Identify key Windows artifacts that reveal attacker activity — registry run keys, Security event log entries, and Prefetch files that show what ran and when.
Why Windows Artifacts Matter
Windows systems generate rich forensic artifacts that record user activity, program execution, file access, and network connections. These artifacts exist because Windows was designed for performance and functionality — features like Prefetch (faster app launches) and the Registry (centralized configuration) create forensic records as side effects. Skilled analysts know where to look for evidence that attackers try to hide or delete. Understanding Windows artifacts is fundamental to endpoint forensics.
The Windows Registry as a Forensic Source
The Windows Registry is a hierarchical database storing OS and application configuration settings. It is a goldmine for forensic investigators because it records: recently accessed files and URLs, USB devices ever connected to the system, installed programs and uninstall history, autorun/startup entries (persistence mechanisms), user activity patterns, and network connections. The registry is stored in hive files (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) that persist on disk.
# Key forensic Registry locations
# Persistence (autorun) locations:
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# HKLM\SYSTEM\CurrentControlSet\Services (services/drivers)
# Recently accessed files (user activity):
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# USB devices ever connected:
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
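As an added example (not part of this lesson), the following PowerShell triage script walks the persistence and USB locations listed above on a live host and returns objects you can pipe to Export-Csv; it assumes an elevated session, and HKCU: only covers the currently logged-on user's NTUSER.DAT hive. The Review flag is a constructed heuristic for prioritising analyst attention, not a verdict.

```powershell
# Added triage script, not part of the lesson. Run elevated; HKCU: only reflects
# the currently logged-on user's hive (mount other NTUSER.DAT files separately).

function Get-AutorunEntries {
    # Each value under a Run key is a command executed at user logon.
    $Keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($Key in $Keys) {
        if (-not (Test-Path $Key)) { continue }
        $Item = Get-ItemProperty -Path $Key
        foreach ($P in $Item.PSObject.Properties) {
            if ($P.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            # Heuristic only: commands in user-writable dirs or via script hosts merit a closer look
            $Suspicious = [string]$P.Value -match '\\(Temp|AppData|Public|ProgramData)\\|powershell|wscript|mshta|rundll32'
            [pscustomobject]@{ Source = $Key; Name = $P.Name; Command = [string]$P.Value; Review = $Suspicious }
        }
    }
}

function Get-AutoStartServices {
    # Start 0/1/2 = boot/system/automatic; 3 = manual, 4 = disabled.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $Svc.Start -and $Svc.Start -le 2 -and $Svc.ImagePath) {
                [pscustomobject]@{ Source = 'Services'; Name = $_.PSChildName; Command = $Svc.ImagePath; Review = $false }
            }
        }
}

function Get-UsbStorHistory {
    # Subkey = class/vendor/product string; child subkey = serial number or instance id.
    $Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root | ForEach-Object {
        $Device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{ Device = $Device; Serial = $_.PSChildName
                               FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName }
        }
    }
}

# Flagged autorun entries first, then every auto-start service, then USB history.
@(Get-AutorunEntries) + @(Get-AutoStartServices) | Sort-Object Review -Descending | Format-Table -AutoSize
Get-UsbStorHistory | Format-Table -AutoSize
```

Compare the output against a known-good baseline from the same build; a Run value or service ImagePath that is absent from the baseline is the starting point for a timeline, not proof of compromise on its own.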